To prevent employees sabotaging your organisation, you must understand the way they think.
There’s a mantra in Hollywood that ‘every villain is the hero of their own story’. It serves as a reminder that well-written bad guys believe that their actions are justified, no matter the cost.
However, it doesn’t only apply to films. It’s something that can be applied to everyday scenarios to understand why bad people do bad things.
There are plenty of wrongdoers in the cyber security industry, but their motives are usually disappointingly simple: their need for money is more important than the collateral damage their cyber crime will cause.
However, there is one group of cyber crooks whose motives are worth investigating: malicious insiders.
Who are malicious insiders?
A malicious insider is a current or former employee, contractor or business partner who steals sensitive information or sabotages their organisation’s systems. All they need is access to sensitive information and a motive to misappropriate it.
Most malicious action is committed for the same reasons as any other type of crime:
Business is full of tough decisions, and that sometimes means employees feel hard done by. Occasionally, the slighted employee decides to strike back.
There are a couple of scenarios in which this can happen. The first is when an employee has been fired or resigned. This kind of insider is particularly dangerous if they can log in to their work account remotely and the organisation doesn’t remove their access rights immediately.
That’s because the employee will be acting on emotion, recklessly sabotaging the organisation without considering how to avoid detection.
The second scenario occurs when perpetrators are ‘disgruntled’. This could be for any number of reasons, but it’s usually associated with employees who were passed up for a promotion or who don’t like the way the business is being run.
Whatever the circumstances, the perpetrator’s attack(s) will usually be more thought out and harder to detect. Their objective might involve personal gain, such as embezzling money or stealing information to sell on the dark web, or they might simply want the organisation to suffer, for example by shutting down business processes or redirecting information.
Security experts often say that ‘personal data is the new currency’. That’s a slight exaggeration (good luck trying to pay rent with your email address), but the point remains: everyone is trying to get their hands on personal data, and many business activities are designed with information-gathering potential in mind rather than profitability.
But it’s not only organisations that value personal data. It’s also highly lucrative to cyber criminals and, by extension, the people who are willing to trade with them.
Your average employee might not know how to find a cyber criminal, but like so many of life’s mysteries, it can easily be Googled.
That doesn’t necessarily make cyber crime easy, because – as with crime generally – the two biggest obstacles tend to be people’s moral compass and their fear of being caught. These factors don’t go away just because you’re dealing with virtual loot and a faceless buyer over the Internet.
But things can change if you put someone in the wrong circumstance. There are countless examples of people who have turned to crime when they need money. They might know their actions are wrong, but tell themselves that there’s no other option and what they’re doing isn’t that bad. Or that it’s a one-time thing, or a victimless crime.
These motivations are much easier to reconcile with one’s sense of right and wrong when it comes to cyber crime, because the culprit isn’t causing any damage directly; they are a middleman, and the knock-on effects of their actions aren’t immediately obvious.
The Office Space problem
Whether enacting revenge or stealing for personal gain, malicious actors generally believe that they are the Robin Hood-type taking from an evil corporation.
That supposition doesn’t come from nowhere. Think about how often society encourages us to vilify the wealthy or to see our bosses as the enemy. Hollywood, for example, which has to remind its writers that bad guys have motives, seems more preoccupied with blue-collar revenge narratives that justify criminal behaviour.
Perhaps the most revered example of this, at least when it comes to malicious insiders, is Office Space, which tells the story of Peter Gibbons (played by Ron Livingston), a put-upon computer programmer who decides to get back at his employer by committing fraud.
Along with two colleagues, he inserts a piece of malware into the organisation’s systems that’s intended to siphon off fractions of a cent at a time and transfer the money into a personal account.
The film covers more or less every motive for malicious action. Peter is in a dead-end job, he’s disrespected by his boss, he’s in a hostile work environment, his colleagues/co-conspirators are about to be laid off and they all want money.
But here’s the problem: even though the film is satirical – and even then it doesn’t allow its heroes to triumph (they abandon the scheme after discovering the malware had stolen more than $300,000 in just a few days) – it’s still reluctant to condemn the scheme.
There’s no scene in which Peter realises that no matter how badly treated he is at work, that doesn’t give him the right to steal money. In fact, the only lesson he seems to learn is that he should have planned better.
Don’t try this at home
You could argue that Office Space’s refusal to judge its characters is a major reason for its prolonged success. The film celebrates its twentieth anniversary this month, yet the workplace revenge fantasy is as pertinent now as ever.
A growing number of people are dissatisfied at work, with a 2015 YouGov survey reporting that 37% of Britons think their job is meaningless. Meanwhile, the pro-revenge movement is booming, and the Internet has made it easier than ever to commit malicious action (though it’s also created more rigorous paper trails, making it easier to catch crooks after the fact).
Although most insider attacks fail, this should be of little comfort to organisations. The damage will still be done, and the effects could be long-lasting.
An even bigger concern is that it’s almost impossible to anticipate malicious action. It’s rarely obvious who in your office might be plotting against you or who will be consumed by revenge after being laid off.
There are limited measures to mitigate the threat (such as access controls), but the only truly effective defence is a strong organisational culture. Although this sounds straightforward – keep your staff happy and they won’t turn against you – it’s something plenty of employers need to work on.
How to prevent malicious insiders
You can learn more about the way malicious insiders operate and how to stop them by reading Insider Threat – A Guide to Understanding, Detecting, and Defending Against the Enemy from Within.
In this guide, Dr Julie E. Mehan explains:
- Common characteristics of insider threats;
- Typical stages of a malicious attack;
- Steps you can take to implement a successful insider threat programme; and
- How to create an effective security culture.
IT Governance is your one-stop shop for information security and regulatory compliance. Our range of books, toolkits, training courses, staff awareness solutions and consultancy services can help you with whatever you’re looking for, and our blog helps you stay informed of the latest industry news and advice.